Memory Dump

ICS Lab.
Introduction
• Memory Forensics
• Memory Dump
• Get memory image from real memory(Physical Memory, RAM).
• Memory Analysis
• Get some information from memory data.
• Live Analysis – From live memory
• Static data Analysis – From memory image

• Memory Forensics usually used for Digital investigation,

Malware Analysis.
 How to dump Physical Memory?
 Hardware-based
 Cold Boot Attack
 The effect can be lengthened by cooling the memory,
which the researchers did using an old party trick – a
can of compressed air held upside down. Chilling the
memory can allow data to persist for many seconds,
even minutes.
 Firewire Attack
 Get Memory Using Firewire Interface
 A leading method of memory dump using hardware
consists in sending the memory to a DMA controller
through the PCI bus in order to acquire a part or all of
the memory.

 Popular Software
 Windows-based : Dump-It, MDD
 Linux-based : Lime Forensics
 Vmware-based : ‘Snapshot’ function of
VMware
Memory Forensics Experiments
• We will deal about user accounts of Windows&Linux

• Experiment 1
• Windows Based Memory dump & Analysis
• Windows accounts information from memory image

• Experiment 2
• Linux Based Memory dump & Analysis (Using Vmware)
• Linux accounts information from memory image
Experiment 1
• Windows Based Memory dump & Analysis
• Windows accounts information from memory image

• What we needs?
• Dumpit : Memory dump software for Windows
• Volatility : Memory Analysis tool
Experiment 1
• Step 1
• Memory Dump using DumpIt
• Just excute ‘dumpit.exe’ and type ‘y’
• We can find ‘.raw’ file in same folder as ‘dumpit.exe’ file
 Experiment 1
• Step 2
• Install volatility
• 1 : Install python ‘python-2.7.8.msi’
• volatility is based on python.
• 2 : Install volatility ‘volatility-2.4.win32.exe’
• 3 : Check run volatility
• run ‘volatility-2.4.standalone.exe’ in CMD
• Running result like below screenshot
Experiment 1
• Step 3
• Check image information of ‘.raw’ file
• Command : ‘volatility-2.4.standalone.exe imageinfo –f DUMPFILE’
• It takes some minutes. (It takes 3 minutes to analyse 2GB memory)
• We have to remember Profiles
Experiment 1
• Step 4
• Extract Hashdump from Memory Image
• The "hashdump" post module will dump the local users
accounts on the compromised host using the registry.
• volatility provides ‘hashdump’ plugin

• Command
• volatility.exe PLUGIN –f MEMORYIMAGE –profile=PROFILE > OUTPUTFILE

Then, We can find OUTPUTFILE in Volatility folder

Experiment 1
• Step 5
• Examine Hashdump file Using tools
• Using john the ripper
• john the ripper is well-known password cracking tool using dictionary
attack, bruteforce attack, etc.
• command : john.exe --format=nt
• We have five accounts in Hashdump file, but 2 of these have not
password, another 2 of these have very easy password.
• One left, it takes very long time for cracking
Experiment 1
• Step 5
• Using Cain&Abel
• Cain&Abel also well-known password cracking tool.
• It support GUI for Windows
• We can check ‘Time Left’ of brute-force attack.
• Only set password length under 8, it takes 3days (It depends system speed)
Experiment 1
• Step 5
• Using Cain&Abel
• For check the success message on this experiment, I set password length = 6
• It takes only 3 minutes.
• User account ‘ajou’s password hashes cracked.
• If we have well-made password dictionary, It need only short time to crack.
Experiment 1
• Additional Plugins for volatility
• Volatility provides many plugins to get information from memory
image.
• you can check command rules and plugins using ‘volatility.exe –h’
• Here is easily working plugins. Try it.
• dlllist, pslist, pstree, sockets
• Reference
• http://resources.infosecinstitute.com/memory-forensics-and-analysis-using-
volatility/
Experiment 2
• Linux Based Memory dump & Analysis (Using
Vmware)
• Linux accounts information from VM memory image
Experiment 2
• Memory dump using ‘Snapshot’ function of VMware
• ‘Snapshot’ will make backup the OS full status for restore that
status anytime. It also make full backup of Memory to ‘.vmem’
file
Experiment 2
• Step 1
• Memory dump using ‘Snapshot’ function of VMware
• Make ‘Snapshot’ at Linux login status.
• It tested various Ubuntu version.
Experiment 2
• Step 1
• Memory dump using ‘Snapshot’ function of VMware
• We can found memory image from ‘VMWARE’ folder.
• We have to check recently numbered Snapshot.
• And check the modify time.
Experiment 2
• Step 2
• Find Password shadow from Memory Image
• Fine a Text string ‘root:$6$’ from Memory Image Using any HEX
Editor
• Recent Ubuntu Linux’s password shadow files are started with
‘root:$6$’
Experiment 2
• Step 3
• Copy shadow file from memory image
• Just Drag from ‘root:$6$’ to last ‘:::’
• Then write to new file.
Experiment 2
• Step 4
• Use John the Ripper to Craking
• Command : john.exe SHADOWFILE
• It found 1 password hash from test memory Image.
References
• Cain&Abel : http://www.oxid.it/cain.html
• John The Ripper : http://www.openwall.com/john/
• Volatility : https://github.com/volatilityfoundation
• Python : https://www.python.org/
• Physical Memory Attacks : https://privatecore.com/resources-overview/physical-memory-
attacks/
• RAM Forensics : https://www.ethicalhacker.net/features/root/using-cold-boot-attacks-
forensic-techniques-penetration-tests

• JungTaek Seo, Seokjun Lee, Taeshik Shon, A study on memory dump analysis based on
digital forensic tools, Peer-to-Peer Networking and Applications, Springer, Online
Published, June 2013
• Seokjun Lee, Taeshik Shon, Physical Memory Collection and Analysis in SmartGrid
Embedded Platform, MONET, ACM/Springer, Volume 19 Issue 3, June 2014, Pages 382-391